August 17, 2001
Audit Report No. 01-021

Improvements Can Be Made to the FDIC’s Independent Security Review Process

Federal Deposit Insurance Corporation                    Office of Audits
Washington, D.C. 20434                                   Office of Inspector General

DATE:     August 17, 2001

TO:       Donald C. Demitros, Chief Information Officer and Director, Division of Information Resources Management

FROM:     Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
          Assistant Inspector General for Audits

SUBJECT:  Improvements Can Be Made to the FDIC’s Independent Security Review Process (Audit Report Number 01-021)

During 2000, the Division of Information Resources Management (DIRM) requested that the Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG) perform an independent security review (ISR) of the FDIC’s mainframe computer system using the process and reporting guidance contained in DIRM’s own draft Risk Assessment/Independent Security Review and Management Authorization Program Guide, dated August 25, 2000. We completed the review and provided our final report to DIRM on December 29, 2000.

At the time of the initial request, DIRM also asked that we comment on process-related improvement opportunities identified during our work on the ISR of the mainframe. Because we followed DIRM’s ISR process in performing our mainframe review, we were able to identify improvements that would benefit DIRM’s ISR program. These improvements are presented in this audit report.

The FDIC formalized its ISR process in 1997 with the initiation of the information technology risk management program, a program designed to identify and mitigate information technology risks and vulnerabilities. The OIG performed an audit of the FDIC’s risk management program and issued a final report on March 14, 2001. In addition to recommendations for the overall risk management program, the report included recommendations addressing more specific ISR issues. DIRM is currently reassessing its ISR approach and has agreed to take action on these recommendations and give serious consideration to more recent informal suggestions to improve the ISR program. DIRM has generally incorporated our recommendations and suggestions into its new processes and actively involved us in designing a new framework for the ISR program. Although DIRM has not formally documented these new processes, it has already taken action on several of the suggestions contained in this report and is in the process of implementing others.

BACKGROUND

The FDIC formalized its ISR program with the issuance of FDIC Circular 1310.3, Information Technology Security Risk Management Program, dated November 24, 1997. The ISR program was developed to address Office of Management and Budget Circular No. A-130, Management of Federal Information Resources (OMB A-130), which requires that independent security reviews of general support systems and major applications be performed every 3 years.
Although the FDIC is an independent agency of the federal government, the FDIC determined that provisions of OMB A-130, Appendix III, establishing minimum controls for federal automated information security programs and linking agency automated information security programs and agency management control systems, are generally applicable to the FDIC.

ISRs are designed to identify risks and vulnerabilities in general support systems and major applications and to provide recommendations for mitigating those risks. The reviews focus on data integrity, confidentiality, and availability. OMB A-130 defines a major application as “an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.” OMB A-130 defines a general support system as “an interconnected set of information resources under the same direct management control which shares common functionality.” The FDIC has identified 24 major applications and 8 general support systems (one of which is the FDIC’s mainframe) to be reviewed during the 3-year cycle. DIRM spent more than $2 million in 2000 for its risk management and ISR program.

As described in DIRM’s draft Risk Assessment/Independent Security Review and Management Authorization Program Guide, the ISR is a four-phase process that includes planning a system review, conducting a basic evaluation, conducting a detailed evaluation, and preparing an ISR evaluation report. During the system review planning phase, the ISR review team – an internal or contractor team – develops a technical description of the general support system or application and defines and documents review boundaries. The review team also identifies and documents security and integrity requirements – those related to the system or application under review and contained in federal and FDIC regulations and directives.

The team then performs a basic evaluation to verify that security controls have been implemented and a detailed evaluation to determine whether controls are functioning properly, cannot be circumvented, and satisfy performance criteria. The review team then summarizes the results in three separate reports: the System Evaluation Report (SER), the Control Matrix Report (CMR), and the ISR Evaluation Report. The report formats are standardized through reporting templates developed by a DIRM contractor hired to perform ISRs for the FDIC. The SER contains the review team’s detailed findings along with recommended corrective actions. The SER also provides the reader with documents from the system planning phase, including the security and integrity requirements, the system description, and the independent review boundaries. Summary information on personnel interviewed, documents reviewed, tests conducted, and observations made is also presented in the SER.

The CMR contains a series of matrices that capture the related security and integrity requirements, the existing security and integrity control measures that fulfill these requirements, findings related to insufficient or nonexistent controls, and data security objectives that are answered by the control measures. The matrices summarize the threats that are mitigated by the identified security and control measures, summarize the sources used by the review team to verify the existence of the security and control measures (e.g., documentation, interviews, tests, and observations), and identify the security and integrity requirements not met by existing security and integrity control measures. For the requirements not met, the review team rates the likelihood of the vulnerability being exploited and the operational impact that may occur. The team also assigns a resulting priority value that helps FDIC management prioritize the vulnerabilities and allocate resources to address the identified vulnerabilities.

The final ISR Evaluation Report consolidates and summarizes the review findings, vulnerabilities, level of risk, and recommended corrective actions and once again presents the system description, review boundaries, and security and integrity requirements. The ISR Evaluation Report also contains a recommended Management Authorization Statement, authorizing use of the general support system or major application subject to certain conditions. FDIC management can opt to accept certain risks based on reasonable and documented operational necessity by considering the identified system vulnerabilities and the existence of compensating controls and/or complete the recommended corrective actions within agreed-upon timeframes.

The ISR reports are most useful to “clients” or system owners/users and FDIC management who need to be informed of risks and vulnerabilities associated with the FDIC’s major applications and general support systems so that decisions can be made on authorizing the systems for use and taking corrective actions. The reports are also important to the oversight manager’s evaluation of the ISR team’s work and subsequent contractor billings, if any.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this report and our limited audit procedures was to identify and develop process-related observations and suggestions for improving the ISR program.
We based our conclusions and suggestions on our experience while performing the ISR of the mainframe and our audit work related to the FDIC’s information technology risk management program.

To further meet our objective, we held discussions with an OICM official responsible for monitoring a DIRM contractor’s performance of the ISR of the Financial Information Management System General Ledger (FIMS-G/L) to obtain his observations on the process. Following those discussions, we analyzed the official’s review notes and correspondence with the contractor and the FDIC oversight manager and the official’s recommendations for changes to the ISR program. We drew conclusions based on our analysis of OICM’s documentation and noted our concurrence with the official’s concerns and conclusions.

We performed the additional audit procedures between January and April 2001 in accordance with generally accepted government auditing standards.

RESULTS OF REVIEW

The ISR program can be enhanced to better serve as an effective management tool for detecting security weaknesses. The following is a summation of those improvements as they relate to planning, performance, and reporting. An additional suggested improvement, obtaining client feedback, relates to all phases of the ISR.

• DIRM needs to further develop and enhance its ISR program policy.

• DIRM could improve the ISR program by ensuring that in subsequent review cycles, high-risk components of general support systems receive individual, more in-depth reviews.

• DIRM’s point of contact needs to be more involved to ensure that the team develops an adequate test plan for confirming that controls are working as intended.

• DIRM could significantly improve reporting and management decision-making by streamlining the three ISR reports, consolidating them into one report, and developing separate formats for application and general support system reviews.

• DIRM needs to ensure that the ISR team obtains client input throughout the ISR process, most importantly as part of the team’s efforts to develop an understanding of the client’s environment.

• DIRM could also improve the ISR process by encouraging discussions between DIRM, the ISR team, and the client to reach a consensus and a clear understanding of the issues identified during the ISR.

During the course of our review, DIRM acknowledged weaknesses in its ISR program and draft ISR policy and began to address those weaknesses. The OIG and DIRM met informally on several occasions and exchanged ideas for redesigning the program. DIRM has also initiated corrective actions in response to recommendations presented in our risk management audit report. The suggestions within this report are intended to aid DIRM in its efforts to revamp the ISR program and move forward to formalize program policy.
As part of its ISR program redesign efforts, DIRM decided to discontinue its use of contractors, who at one time performed the ISRs in their entirety.

THE ISR PLANNING PROCESS COULD BE IMPROVED

DIRM’s ISR planning process could be improved by further developing policy for the ISR program, including sample documents, review procedures, and test requirements for general support system ISRs. The draft policy could also be enhanced by requiring an evaluation of FDIC IT security policies and standards against applicable federal regulations to ensure that criteria used for the ISRs are consistent with governing regulations.

Sample Documents Should Be Developed for General Support System ISRs

DIRM had not developed sample documents that could be used during the system review planning phase to document the system description and the independent review boundaries for general support system ISRs. Although DIRM, in conjunction with the ISR of the mainframe, provided us with sample documents that would be helpful in planning a review of a major application, DIRM did not have sample documents available for the review of a general support system because an ISR of a general support system had not yet been completed. Because different language needs to be included in the planning documents for major applications and general support systems to comply with applicable federal regulations, it is important that DIRM develop sample documents to assist the review teams in their planning efforts.

OMB A-130 refers to National Institute of Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, dated December 1998. NIST, an entity within the United States Department of Commerce, is charged with developing generally accepted system security principles and practices for the federal government. NIST 800-18 contains descriptions of general support system operational and technical controls that should be included in general support system ISRs; thus, the controls should be referenced in the system review planning documents. For the ISR of the mainframe, the OIG review team had to make numerous revisions to the major application sample documents to incorporate the necessary general support system language and ensure compliance with NIST 800-18. Consequently, DIRM’s development of sample system descriptions and review boundaries documents for general support system ISRs would benefit the ISR process in two ways. The sample documents would lessen the time required for the review teams to develop the proper documents and ensure compliance with the pertinent regulations.

Review Procedures and Test Requirements Should Be Developed for General Support System ISRs

DIRM had not developed ISR review procedures or test requirements that addressed security considerations applicable to general support systems. DIRM’s draft policy was focused primarily on reviews of major applications, leaving the review teams with a need for specific guidance on general support systems. DIRM should develop specific guidance in the form of review procedures and test requirements that consider general support system controls and guide the review teams in performing general support system ISRs.

Because of the inherent differences between major applications and general support systems as defined previously, OMB A-130 and NIST 800-18 separately describe the security controls required for major application and general support system ISRs. DIRM’s draft Risk Assessment/Independent Security Review and Management Authorization Program Guide does not make that distinction, but rather combines the discussion of major application and general support system security controls and requirements, focusing primarily on major applications. DIRM needs to develop policies and procedures that will address those distinctions along with review procedures and test requirements that take into account general support system controls. By doing so, DIRM could ensure that the review teams do not improperly omit requirements that are specific to general support systems such as physical security, access and environmental controls, separation of duties, and continuity of operations – omissions that could negatively impact the quality and effectiveness of the review and compliance with OMB A-130 and NIST 800-18.

The ISR Process Should Include an Evaluation of FDIC IT Security Policies and Standards Against Governing Federal Regulations and Guidance

In planning the ISR, the review team establishes security and integrity requirements and criteria for the review by identifying FDIC IT security policies and standards and federal regulations applicable to the system under review. DIRM could improve this process by requiring an evaluation of FDIC IT security policies and standards against governing federal regulations to ensure that the FDIC’s security policies and standards are adequate and consistent with federal regulations. After performing an initial full assessment, periodic assessments could be performed to ensure consistency with updated regulations and to reflect changes in the environment.

FDIC Circular 1310.3 mandates that general support systems and major applications undergo a periodic ISR. The method used for performing the ISR involves assessing the degree to which security and integrity requirements are satisfied for the system or application under review. ISR security and integrity requirements are formulated by drawing from applicable federal regulations, such as OMB A-130, and FDIC IT security policies and standards, such as FDIC Circular 1360.10, Corporate Password Standards. The draft Risk Assessment/Independent Security Review and Management Authorization Program Guide and Circular 1310.3 provide for using FDIC IT security policies and standards to establish ISR security and integrity requirements but do not require an evaluation of the FDIC’s IT security policies and standards against governing regulations to ensure consistency. Consequently, the existing ISR process may not provide full assurance that FDIC IT security policies and standards conform to continually evolving federal computer security laws, regulations, standards, and best practices. Ensuring that FDIC IT security policies and standards conform to federal laws, regulations, standards, and best practices is increasingly important because of the increased focus on security and the rapid changes in technology, related guidance, and best practices.

By first performing a full assessment of its IT security policies and standards and then performing periodic assessments to ensure consistency with updated regulations, standards, and best practices and to reflect changes in the environment, the FDIC can ensure that criteria used for the ISRs are consistent, relevant, and appropriate. Such an ISR process change will improve the effectiveness and efficiency of the FDIC ISR process by precluding the use of outdated and ineffective security and integrity requirements.

We suggest that the FDIC Chief Information Officer and DIRM Director ensure that DIRM’s draft ISR policy is further developed, enhanced, and implemented for major applications and general support systems. In so doing, the FDIC Chief Information Officer and DIRM Director should ensure that:

(1) Sample documents are developed for general support system ISRs to ensure the efficiency of the ISR process and compliance with pertinent federal regulations.

(2) Review procedures and test requirements for use in performing general support system ISRs are developed to ensure the ISRs’ compliance with OMB A-130 and NIST 800-18.

(3) For major applications and general support systems, an initial assessment and then periodic updates of FDIC IT security policies and standards are performed to ensure consistency with governing federal regulations, standards, and best practices.

DIRM COULD IMPROVE GENERAL SUPPORT SYSTEM ISRs AND INCREASE ISR OVERSIGHT

DIRM could improve the ISR program by ensuring that in subsequent review cycles, high-risk components of general support systems receive individual security reviews. DIRM could also improve the program by increasing oversight of the performance of the ISRs.

High-risk Components of a General Support System Should Have Individual Security Reviews

In our audit of the risk management program, we identified the need for DIRM to conduct ISRs of general support systems prior to performing ISRs of major applications. By doing so, DIRM could prevent the inclusion of redundant and non-application-specific findings and corrective actions in the various application ISRs and improve the ISRs’ quality and effectiveness.
Another method for improving quality and effectiveness (once general support system ISRs are completed and a baseline is established) is to segment ISRs of general support systems such as the mainframe into multiple reviews spread out over the 3-year review cycle.

DIRM’s current ISR procedures of including all components of a general support system in a single review satisfy OMB A-130 requirements. OMB A-130 instructs agencies to “review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system.” Performing subsequent reviews of individual components could be less burdensome, promote a more detailed and focused approach to completing the ISRs, and result in more in-depth reviews that provide better assurances about the security and integrity controls of high-risk components of the FDIC IT environment. Additionally, milestones for completing the ISRs could be set more realistically in line with the size of the component under review. DIRM indicated that it would consider this approach after its ISR program had matured, but felt that resource constraints and the additional time needed to rank risks necessitated delaying a decision on this approach.

DIRM schedules ISRs for its general support systems at least once every 3 years in accordance with OMB A-130 requirements, commensurate with the acceptable level of risk for the system. The layered components of the mainframe, such as Computer Associates Access Control Facility 2 (CA-ACF2), database packages (DB2 and DATACOM), Customer Interface Control System (CICS), and the operating system (OS/390), individually involve functions and transactions that pose a high level of risk to the FDIC IT environment and warrant in-depth individual reviews. OMB A-130 recognizes that the greatest security risk comes from authorized individuals engaging in improper activities, whether intentional or accidental. The layered components include technical, operational, and management controls that are used to prevent and detect these improper activities. Such controls are intended to ensure individual accountability, “least privilege,” and separation of duties. OMB A-130 defines least privilege as “the practice of restricting a user’s access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his or her job.”

The recently completed ISR of the mainframe included a security review of the OS/390 operating system and the layered products CA-ACF2, DB2, and DATACOM. If these components had been reviewed individually, the reviews could have been more in-depth and meaningful. Individual in-depth reviews could have provided better assurance that security and integrity controls of these high-risk components (1) were functioning properly, (2) satisfied performance criteria, and (3) were unable to be disarmed or circumvented.

Further Improvements Should Be Made to ISR Oversight

In our report on DIRM’s risk management program, we noted improvements that could be made to oversight to enhance the ISR process. In particular, we recommended that DIRM modify the ISR procedure manual to require adequate working papers from contractors to support ISR findings and confirmation of major controls. We also recommended modifying the manual to require a timely review and approval of contractor working papers and invoices by the FDIC program or oversight manager. We identified additional oversight improvements that should be made based on our discussions with an OICM official and our review of OICM’s documentation related to the ISR of FIMS-G/L.

Most notably, OICM’s experience revealed the need for more involvement by DIRM’s point of contact to ensure that the ISR team (internal or contractor team) develops an adequate test plan to confirm that controls are working as intended. The OICM official found that testing performed by the contractor was not always adequate and, in some cases, the contractor relied on information provided during discussions rather than performing actual testing. By obtaining a test plan from the ISR team and verifying its adequacy, DIRM could better ensure that the team’s review will be sufficient to confirm that controls are working as intended. OICM’s experience also reflected the need for a timeline from the team to ensure that adequate time has been allotted for (1) finalizing supporting working papers and draft deliverables, (2) reviewing working papers and deliverables and resolving reviewer comments, and (3) obtaining feedback from the clients and making appropriate report revisions. These oversight improvements could have a positive impact on the reliability and effectiveness of the ISRs by ensuring the adequacy and completeness of the ISR team’s work.

OICM also documented concerns similar to those noted in our audit of DIRM’s risk management program. Those concerns related to the need for obtaining adequate working papers from the contractor to support all ISR findings, conclusions, and tests of major controls; and performing a timely review of all supporting working papers prior to draft report issuance. In response to our audit of the risk management program, DIRM agreed with the need to obtain supporting working papers from the contractor and improve working paper reviews. DIRM also responded that it would consult with the OIG to develop working paper standards. DIRM’s recent adoption of an audit-type approach for the ISRs should address the needed working paper improvements.

DIRM has indicated that it would use internal review teams in lieu of contractors to perform future ISRs. Such actions would be consistent with our prior informal suggestions to DIRM and suggestion number 11 of this audit report.

We suggest that the FDIC Chief Information Officer and DIRM Director ensure that:

(4) Changes are made to the ISR program after ISRs of general support systems are completed and a baseline is established so that: (a) general support system components that warrant individual reviews are planned and conducted individually to enhance their value; (b) individual support system components, particularly mainframe components that would warrant individual ISRs based on OMB A-130 guidelines, are identified, scheduled, and prioritized based on their relative risk to the Corporation; and (c) milestones for completing the ISRs are set based on the size of the component.

(5) Improvements are made to oversight to increase the involvement of DIRM’s point of contact and ensure that the ISR team: (a) develops an adequate test plan for confirming that controls are working as intended and (b) provides a timeline that allows adequate time for finalizing supporting working papers and draft deliverables, reviewing working papers and deliverables and resolving reviewer comments, and obtaining feedback from the clients and making the appropriate report revisions. In its adoption of an audit-type approach for the ISRs, DIRM should continue its efforts to require adequate working papers to support all ISR findings, conclusions, and tests of major controls and to ensure a timely review of all working papers.

ISR REPORT FORMAT SHOULD BE MODIFIED TO IMPROVE CLARITY AND USEFULNESS

DIRM’s ISR reporting process could be improved by streamlining the reports to benefit both the client and the review team and enhancing the reporting format to clearly identify the work performed and level of review.

The ISR Reporting Format Should Be Streamlined

In developing reports for the ISR of the mainframe, we noted that the current ISR reporting format resulted in a voluminous report containing redundancies and inconsistencies, making it difficult for the client to discern the important issues. The reporting format was also cumbersome and time-consuming for the review team to complete, a condition that may have increased billable time for contractor-prepared reports and could increase the cost of internal resources needed for future ISRs. Consequently, we believe the reporting format should be streamlined.

The three reporting vehicles – the CMR, the SER, and the ISR Evaluation Report – were developed by a DIRM contractor in an effort to comply with various federal regulations. The various reports restate review findings, recommended corrective actions, and other ISR information in different and similar formats.
The reports contain repetitive executive summaries, review scopes, review methodologies,\nevaluation methodologies, system descriptions, independent review boundaries, and introductions.\nAmong the three reports, findings and/or recommended corrective actions, security and integrity\nrequirements and/or control measures, and tests conducted/vulnerabilities are presented numerous\ntimes in various formats.\n\nThe ISR reports are intended for use by \xe2\x80\x9cclients\xe2\x80\x9d or system owners/users, FDIC management, and the\nDIRM oversight manager. The reports should inform clients and FDIC management of risks and\nvulnerabilities associated with the FDIC\xe2\x80\x99s major applications and general support systems so that\ndecisions can be made on authorizing the systems for use and taking corrective actions. The reports\nalso are important to the oversight manager\xe2\x80\x99s evaluation of the team\xe2\x80\x99s work and subsequent billings\nshould contractors be used for future ISRs. However, the voluminous and redundant nature of the\nreports makes it difficult for the various users to effectively use the information contained in them.\n\nThe redundancy of the three reports also creates problems with consistency. As noted by the OIG\nreview team and OICM, a change made to the reports had to be made in several places, often resulting\nin errors to the draft reports when the change was not reflected throughout the three reports. For\nexample, if a recommended corrective action was changed, the change had to be made six times \xe2\x80\x93 in\nthree sections of the ISR Evaluation Report, two sections of the SER, and one section of the CMR. If\nall occurrences of the same information were not changed, conflicting and confusing information could\nhave been conveyed to the client. 
During OICM\xe2\x80\x99s review of the final draft report for FIMS G/L,\nOICM\xe2\x80\x99s review notes indicated that the CMR included issues that had been deleted from the remainder\nof the report. These issues involved a potential heating, ventilation, and air conditioning (HVAC)-related exposure\nthat was determined not to be a risk and a potential exposure involving the Virginia Square garage\ndoors that was determined to be an acceptable risk with compensating controls in place.\n\nBy streamlining the three reports and consolidating them into one report, duplicate information can be\neliminated, thereby resolving the consistency issue. Additionally, because of the inherent differences\nbetween an application review and a general support system review, developing separate reporting\nformats for application and general support system reviews would also be an\nimportant enhancement. Together, these enhancements could increase the ISR report\xe2\x80\x99s readability and\neffectiveness and lessen the report preparation time and associated costs.\n\nThe ISR Report Should Clearly Identify the Work Performed\n\nThe ISR report format did not provide a clear identification of the work performed for the ISR, the level\nof testing, or the sampling methodology. The format also promoted the presentation of information and\nconclusions on issues not specifically related to the system under review, a concern similar to one\naddressed in our audit of the risk management program. Providing the client with a clear indication of\nthe level or depth of review is important for adding perspective to the ISR results and conclusions and\nfor aiding the oversight manager in his/her review and approval of the team\xe2\x80\x99s work and subsequent\ncontractor billings, if any. 
Because of DIRM\xe2\x80\x99s reliance on the ISR team\xe2\x80\x99s work and the impact of that\nwork on FDIC operations, it is important that all parties have a clear understanding of the extent of the\nreview.\n\nThe report format provides a list of tests performed for the ISR. However, the matrices and other\nreporting sections do not provide additional descriptive information, such as the level of testing\nperformed, to confirm that controls are working as intended or the sampling approach and methodology\nused for testing. Consequently, such information is not conveyed to the client through the reports.\n\nTo compound this issue, the report format allows for issues or areas to be addressed that are not\nspecific to the general support system or application under review, resulting in the inclusion of issues that\nwere identified for other ISRs. Not only can this confuse the client and limit his/her understanding of the\nISR, it may also make it more difficult for the oversight manager to identify the work that was actually\nperformed for the ISR and determine whether the work and level of effort incurred by the team and/or\nbilled by the contractor was reasonable.\n\nWe suggest that the FDIC Chief Information Officer and DIRM Director ensure that:\n\n(6) The ISR reporting format is streamlined in a manner that will highlight the important issues, better\n    serve the client, and expedite the reporting process.\n\n(7) Two separate reporting formats are developed \xe2\x80\x93 one format for ISRs of major applications and a\n    second format for ISRs of general support systems.\n\n(8) The ISR report format is enhanced to clearly identify the work performed, level of testing, and\n    sampling methodology.\n\n(9) The ISR report format is revised to clearly present the security and integrity requirements,\n    conclusions, corrective actions, and related information applicable to the major application or\n    general support system under review.\n\n\nISRs SHOULD INCLUDE CLIENT FEEDBACK\n\nThe contractor hired by DIRM to perform ISRs did not always obtain the client\xe2\x80\x99s views or incorporate\nthose views or comments into the various planning, performance, and reporting documents. According\nto the contractor, client feedback and concurrence were not always obtained or incorporated into the\nISR documents because of the independent nature of the review. However, OMB A-130 states that\n\xe2\x80\x9csecurity controls may be reviewed by an independent audit or a self review. The type and rigor of\nreview or audit should be commensurate with the acceptable level of risk that is established in the rules\nfor the system and the likelihood of learning useful information to improve security.\xe2\x80\x9d\n\nWe believe that client input should be obtained during all phases of the ISR, including the planning phase\nwhen the system description and independent review boundaries are determined and the evaluation and\nreporting phases when the results, conclusions, and corrective actions are drafted. Obtaining client\ninvolvement or feedback during the planning phase can assist the review team in gaining a thorough\nunderstanding of the user and the environment, identifying high-risk areas, and setting boundaries for the\nreview, resulting in a more valuable and useful product for the client. During the evaluation and\nreporting phases, client feedback on results, conclusions, and proposed corrective actions can help\nensure the accuracy of the ISR data and the usefulness of the corrective actions.\n\nObtaining client involvement can be accomplished through the use of a divisional or interdivisional\nreview team to perform all or some phases of the ISR. 
Such a team could benefit the ISR program by\neliminating or reducing contractor involvement and increasing the value and usefulness of the ISR to the\nclient.\n\nDuring our audit of the risk management program, we interviewed clients from divisions that recently\nwere involved in the ISR process. Those divisions included the Division of Supervision, the Division of\nFinance, and the Division of Resolutions and Receiverships. Division managers expressed concerns that\nresponsible division personnel were not contacted at any time during the ISR process. As a result, the\nmanagers believed that the contractor lacked an understanding of the user, the environment, and the\nhigh-risk areas, causing the ISR reports and corrective actions to be less than fully effective.\nAdditionally, although most division managers acknowledged receipt of the draft reports, they stated\nthat feedback or comments provided to the contractor on findings and corrective actions were not\nalways included in the final reports. All in all, managers expressed a lack of confidence when signing the\nManagement Authorization Statement.\n\nFor an ISR report to be an effective management tool, it should be complete, accurate, objective,\nconvincing, clear, and concise. One of the most effective ways to accomplish this is to provide the client\n(i.e., responsible officials) with copies of the draft reports for their review and comment and include\nthose comments in the final ISR report. The officials\xe2\x80\x99 comments should indicate their agreement or\ndisagreement with the findings, corrective actions, and other information presented in the reports; the\nbasis for the agreement/disagreement; and plans for resolution. The draft Risk\nAssessment/Independent Security Review and Management Authorization Program Guide allows\nfor obtaining client feedback throughout the ISR process and instructs the team to provide the client\nwith a draft SER, CMR, and ISR Evaluation Report for review and comment. 
The team is then to\nrevise the reports and prepare a final ISR Evaluation Report incorporating the client comments. The\nguide also requires the team to submit various planning documents to the client for review and comment,\nincluding the system description, the independent review boundaries, and the security and integrity\ncontrol requirements.\n\nDiscussions between DIRM, the ISR team, and the client could also improve the process. Should the\nteam disagree with the client\xe2\x80\x99s response, discussions could be held to reach a consensus or\nunderstanding of the issue and how it will be treated for reporting purposes. DIRM\xe2\x80\x99s point of contact\ncould also ensure that disagreements with the ISR team, such as those related to findings, corrective\nactions, work performed, or other report information, are resolved prior to issuing the draft ISR reports.\nOICM noted that there is not a process or method in place to resolve disagreements between the point\nof contact and the ISR team. 
DIRM agreed that a resolution vehicle is needed and responded that with\nits new audit-type approach for the ISRs, OICM will now play the role of dispute mediator.\nAdditionally, OICM commented that DIRM\xe2\x80\x99s actions in transferring responsibility for the ISR program\nto DIRM\xe2\x80\x99s Information Technology Evaluation Section resolve potential objectivity concerns that could\narise between the DIRM Information Security Staff and the ISR team.\n\nWe suggest that the FDIC Chief Information Officer and DIRM Director ensure that:\n\n(10)    Client feedback is obtained and considered during all phases of the ISR.\n\n(11)    Consideration is given to using a divisional or interdivisional team to perform certain phases or\n        all phases of the ISR.\n\n(12)    All ISR reports contain the views of responsible officials concerning conclusions,\n        recommendations, and planned corrective actions.\n\n(13)    A process or method is developed for resolving disagreements between the point of contact and\n        the ISR team.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn August 13, 2001, the FDIC\xe2\x80\x99s Chief Information Officer (CIO) and DIRM Director provided a\nwritten response to the suggestions contained in the draft report. The CIO and DIRM Director\xe2\x80\x99s\nresponse is presented in Appendix I of this report. The CIO and DIRM Director generally agreed with\nthe information presented in the report with the exception of suggestion 4. 
With respect to suggestions\n1 through 3 and 5 through 13, DIRM responded that it has begun to revise the ISR procedures manual,\nthe ISR report format, and the ISR process to incorporate our suggested improvements.\n\nA summary of the CIO and DIRM Director\xe2\x80\x99s response to suggestion 4 and our analysis follows.\n\n    Ensure changes are made to the ISR program after ISRs of general support systems are\n    completed and a baseline is established so that: (a) general support system components\n    that warrant individual reviews are planned and conducted individually to enhance their\n    value; (b) individual support system components, particularly mainframe components that\n    would warrant individual ISRs based on OMB A-130 guidelines, are identified, scheduled,\n    and prioritized based on their relative risk to the Corporation; and (c) milestones for\n    completing the ISRs are set based on the size of the component (suggestion 4): The CIO\n    and DIRM Director disagreed with this suggestion. The CIO and DIRM Director stated that\n    component reviews may provide more in-depth coverage but also would entail significant resources\n    because of an increase in the number of reviews that would need to be conducted. The CIO and\n    DIRM Director stated that the Sensitivity Assessment Questionnaire (SAQ) that measures the risk\n    of major applications is undergoing revision as recommended in the OIG\xe2\x80\x99s Risk Management audit\n    report (Audit Report No. 01-007). Further, the CIO and DIRM Director stated that he expects,\n    although he is not certain, that the revised SAQ will reduce the number of major applications and, thus,\n    save money and resources and increase the quality of the remaining ISRs \xe2\x80\x93 all objectives of the\n    OIG\xe2\x80\x99s Risk Management audit. 
The CIO and DIRM Director responded that it seems contrary to\n    seek to reduce reviews in one area and increase them in another. The savings in cost, the reduction\n    in resources, and the increased quality of the reviews would be lost.\n\n    The CIO and DIRM Director also responded that although these component reviews might be\n    smaller if spread out, the burden on DIRM\xe2\x80\x99s internal clients will increase if component-based ISRs\n    are performed in their program areas every year instead of once every three years. He also stated\n    that these areas already receive audit coverage from the OIG and GAO. Further, the CIO and\n    DIRM Director responded that recent general support system audits have not identified any\n    significant threats to the Corporation. OMB A-130, Appendix III states that \xe2\x80\x9cthe scope and\n    frequency of the review should be commensurate with the acceptable level of risk for the system,\xe2\x80\x9d\n    and the \xe2\x80\x9clikelihood of learning useful information to improve security.\xe2\x80\x9d The CIO and DIRM\n    Director stated that at this time, DIRM believes that breaking general support systems into\n    components for review would not significantly improve security for these systems.\n\nBreaking general support systems into components for review allows DIRM to better focus on\nsignificant risks in those systems, and to provide greater assurance that security and integrity controls\nfunction properly, satisfy performance criteria, and cannot be disarmed or circumvented.\nAccordingly, as DIRM officials indicated they would do during our review, we suggest the division\nreconsider its decision as the ISR process matures so there is more information and experience on\nwhich to make such a determination.\n\nBecause our report contained suggestions rather than formal recommendations, a management decision\nwas not required.\n\nIn 
its response, DIRM referred to \xe2\x80\x9cconfusion\xe2\x80\xa6as to the role of your staff when they are asked to\nparticipate in the design and development of a process.\xe2\x80\x9d The OIG welcomes opportunities to work\nwith management as it develops programs and systems, and anticipates we will continue to do so. We\nhave flexibility in the manner in which we carry out our reporting responsibility under government\nauditing standards and make decisions in that regard on a case-by-case basis. Those decisions depend\nupon, among other things, the subject of our audit, the audit scope and methodology, and the\nsignificance of our findings. In this case, as we noted in our draft report transmittal, we believed the\nsignificance of independent security reviews warranted our providing management with an opportunity\nto review and comment on the findings and suggestions. Accordingly, we issued an \xe2\x80\x9caudit report\xe2\x80\x9d to\nprovide management with a mechanism to do so and have included management\xe2\x80\x99s comments in their\nentirety as an appendix to this report.\n\n\n                                                                                            APPENDIX I\nFederal Deposit Insurance Corporation\n3501 Fairfax Dr., Arlington, VA 22226                                             Office of the Chief Information Officer\n\n\n                                                                     August 9, 2001\n\n\nTO:                    Stephen M. Beard\n                       Deputy Assistant Inspector General\n\nFROM:                  Donald C. 
Demitros [Electronically produced version; original signed by Donald C.\n                               Demitros]\n                       Chief Information Officer\n\n\nSUBJECT:               Draft Report Entitled Improvements Can Be Made to the FDIC\xe2\x80\x99s\n                       Independent Security Review Process\n\nThe Division of Information Resources Management (DIRM) has reviewed the subject draft report and,\nwith the exception of the fourth suggestion, generally agrees with the information presented. We\nappreciate the professional efforts of the Inspector General\xe2\x80\x99s (IG\xe2\x80\x99s) staff who have worked diligently\nwith DIRM managers and provided valuable insights and suggestions throughout this effort. However,\nalthough your memo indicates that the report is not an audit, the second to last sentence of the memo\ncalls it a \xe2\x80\x9cdraft audit report\xe2\x80\x9d. In addition, the first page of the report says improvements are presented\nin this \xe2\x80\x9caudit report\xe2\x80\x9d. There already is an outstanding audit of this process; further, DIRM requested\nyour staff\xe2\x80\x99s participation and comments on our process. There appears to be confusion as to the role of\nthis document; but, more importantly, the role of your staff when they are asked to participate in the\ndesign and development of a process.\n\nWith regard to the fourth suggestion in this report, DIRM believes that increasing the number of\nindependent security reviews (ISR) through component analysis for general support systems (GSS) is\ncounterproductive in light of the recent OIG \xe2\x80\x9cAudit of the FDIC\xe2\x80\x99s Information Technology Risk\nManagement Program\xe2\x80\x9d (Audit Number 2000-918). In that audit, the IG recommended reducing the\nnumber of ISRs performed to a more manageable number. 
DIRM agreed with that recommendation.\nAt this time, DIRM believes that increasing the number of GSS reviews by examining their individual\ncomponents will not substantially add to the \xe2\x80\x9clikelihood of learning useful information to improve\nsecurity\xe2\x80\x9d as defined in OMB A-130, Appendix III. As our ISR process matures, we look forward to\ncontinuing our cooperative dialogue with the IG\xe2\x80\x99s staff to ensure that we identify any additional process\nimprovements and potential best practices that could benefit our program. Our comments on each of\nthe specific suggestions are provided below.\n\nSuggestions: We suggest that the FDIC Chief Information Officer and DIRM Director ensure that\nDIRM\xe2\x80\x99s draft ISR policy is further developed, enhanced, and implemented for major applications and\ngeneral support systems. In so doing, the FDIC Chief Information Officer and DIRM Director should\nensure that:\n\n1.  Sample documents are developed for general support system ISRs to ensure the efficiency of the\n    ISR process and compliance with pertinent federal regulations.\n\n   DIRM Comment: DIRM agrees with this suggestion. The ISR procedure manual which is\n   currently under revision will contain sample documents for general support systems (GSS) as well as\n   for major applications (MA).\n\n2.  Review procedures and test requirements for use in performing general support system ISRs are\n    developed to ensure the ISRs\xe2\x80\x99 compliance with OMB A-130 and NIST 800-18.\n\n   DIRM Comment: DIRM agrees with this suggestion. 
The revised ISR procedure currently under\n   revision will be based upon the review requirements contained in OMB A-130 and NIST 800-18.\n\n3.  For major applications and general support systems, an initial assessment and then periodic updates\n    of FDIC IT security policies and standards are performed to ensure consistency with governing\n    federal regulations, standards, and best practices.\n\n   DIRM Comment: DIRM agrees with this suggestion. DIRM is conducting an evaluation of its IT\n   security policies and standards against applicable federal regulations to ensure that criteria used for\n   all ISRs continue to be consistent with governing regulations. Further, DIRM is updating its policy\n   on IT Security Risk Management to ensure that it reflects the requirements of OMB A-130,\n   Appendix III.\n\n4.  Changes are made to the ISR program after ISRs of general support systems are completed and a\n    baseline is established so that: (a) general support system components that warrant individual\n    reviews are planned and conducted individually to enhance their value; (b) individual support system\n    components, particularly mainframe components that would warrant individual ISRs based on OMB\n    A-130 guidelines, are identified, scheduled, and prioritized based on their relative risk to the\n    Corporation; and (c) milestones for completing the ISRs are set based on the size of the\n    component.\n\n   DIRM Comment: Component reviews may provide more in-depth coverage but also would entail\n   significant resources. The suggestion seems to imply that some type of sensitivity assessment\n   questionnaire would have to be developed and implemented for GSSs that would identify\n   components and component risks within the GSS. This would in turn increase the number of\n   reviews that would need to be conducted. 
The Sensitivity Assessment Questionnaire (SAQ) that\n   measures the risk of major applications is undergoing revision as recommended in the Risk\n   Management Audit. It is expected, although not certain, that the revised SAQ will reduce the\n   number of MAs and thus save money and resources and increase the quality of the remaining ISRs\n   \xe2\x80\x93 all objectives of the former audit. It seems contrary to seek to reduce reviews in one area and\n   increase them in another. The savings in cost, the reduction in resources and the increased quality of\n   the reviews would be lost.\n\n   Although these component reviews might be smaller if spread out, the burden on our internal clients\n   will increase if component-based ISRs are performed in their program areas every year instead of\n   once every three years. These areas already receive audit coverage from the OIG and GAO.\n   Recent GSS audits have not identified any significant threats to the Corporation. OMB A-130,\n   Appendix III states that \xe2\x80\x9cthe scope and frequency of the review should be commensurate with the\n   acceptable level of risk for the system,\xe2\x80\x9d and the \xe2\x80\x9clikelihood of learning useful information to improve\n   security\xe2\x80\x9d. 
At this time, DIRM believes that breaking GSSs into components for review would not\n    significantly improve security for these systems.\n\n5.  Improvements are made to oversight to increase the involvement of DIRM\xe2\x80\x99s point of contact and\n    ensure that the ISR team: (a) develops an adequate test plan for confirming that controls are\n    working as intended and (b) provides a timeline that allows adequate time for finalizing supporting\n    working papers and draft deliverables, reviewing working papers and deliverables and resolving\n    reviewer comments, and obtaining feedback from the clients and making the appropriate report\n    revisions. In its adoption of an audit-type approach for the ISRs, DIRM should continue its efforts\n    to require adequate working papers to support all ISR findings, conclusions, and tests of major\n    controls and to ensure a timely review of all working papers.\n\n    DIRM Comment: DIRM agrees with this suggestion. Under the revised procedure, the ISR\n    Team Leader will be responsible for oversight and development of an adequate test plan and a\n    project plan that allows adequate time for all steps of the ISR to be performed and documented.\n    The Team Leader will be responsible for reviewing work papers and assuring that they provide\n    adequate support of the ISR findings, conclusions and tests. To improve oversight, the ISR\n    program has been moved to the Information Technology Evaluation Section (ITES) and the ISRs\n    themselves are being conducted by FDIC staff rather than contractors.\n\n6.  The ISR reporting format is streamlined in a manner that will highlight the important issues, better\n    serve the client, and expedite the reporting process.\n\n    DIRM Comment: DIRM agrees with this suggestion. 
The revised ISR report format will highlight\n    important issues, better serve the client, and expedite the reporting process.\n\n7.  Two separate reporting formats are developed \xe2\x80\x93 one format for ISRs of major applications and a\n    second format for ISRs of general support systems.\n\n    DIRM Comment: DIRM agrees with this suggestion. The revised ISR report format will be\n    customized to address those issues particular to major applications and those particular to general\n    support systems.\n\n8.  The ISR report format is enhanced to clearly identify the work performed, level of testing, and\n    sampling methodology.\n\n    DIRM Comment: DIRM agrees with this suggestion. The revised ISR report format will clearly\n    identify work performed, level of testing, and sampling methodology.\n\n9.  The ISR report format is revised to clearly present the security and integrity requirements,\n    conclusions, corrective actions, and related information applicable to the major application or\n    general support system under review.\n\n    DIRM Comment: DIRM agrees with this suggestion. The revised ISR report format will clearly\n    present the security and integrity requirements, conclusions, corrective actions, and related\n    information applicable to the major application or general support system under review.\n\n10. Client feedback is obtained and considered during all phases of the ISR.\n\n    DIRM Comment: DIRM agrees with this suggestion. DIRM is using the OIG audit model as a\n    best practice in revising the ISR process. The client will be involved and encouraged to give\n    feedback throughout the ISR from the entrance conference, status meetings or notes to review and\n    input of the draft report. The ISR Team will have members from the client organization actively\n    involved in planning and conducting the ISR.\n\n11. 
Consideration is given to using a divisional or interdivisional team to perform certain phases or all\n    phases of the ISR.\n\n    DIRM Comment: DIRM agrees with this suggestion. The ISR Team will consist of members\n    from DIRM ITES, DIRM ISS, DIRM ASM, DIRM TIM, the client division and data stewards as\n    appropriate to the review.\n\n12. All ISR reports contain the views of responsible officials concerning conclusions, recommendations,\n    and planned corrective actions.\n\n    DIRM Comment: DIRM agrees with this suggestion. DIRM is using the OIG audit model as a\n    best practice in revising the ISR process. The views of responsible officials concerning conclusions,\n    recommendations and planned corrective actions will be obtained in a draft report and contained in\n    the final ISR report.\n\n13. A process or method is developed for resolving disagreements between the point of contact and the\n    ISR team.\n\n    DIRM Comment: DIRM agrees with this suggestion. DIRM is using the OIG audit model as a\n    best practice in revising the ISR process. OICM will play the same role as dispute mediator in the ISR\n    process as it does in the audit process.\n\n\ncc:      Janet W. Roberson, Deputy Director, Information Technology Management\n         Rack D. Campbell, Chief, IT Evaluation Section\n"